Preventing SQL Injection in C


Problem description


I am writing a C application that takes some user input and does a few database queries. I am well aware of the risks here of SQL injection and wish to prevent it.


Ideally I would use parameterized queries, but have been unable to find anything with this functionality in C so far. I am currently constructing my queries as such:

#include <stdio.h>  /* asprintf() is a GNU extension; needs _GNU_SOURCE */
char *query;
/* vulnerable: userInput is spliced straight into the SQL text */
asprintf(&query, "UPDATE SomeTable SET SomeField='%s';", userInput);


If I am unable to do this, then I must filter the user input. How should this filtering be done? Is it enough to just remove all 's and "s? (Valid inputs cannot contain them). If so, what is the easiest way of doing this in C?

Recommended answer


I believe that you want to use prepared statements and parameter binding. Do not directly interpolate user data into your queries. See the MySQL manual for info on this.
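The answer's point, as an added example that is not part of the original post: the question's interpolated UPDATE beside a prepared statement with a bound parameter, run against an input containing the very apostrophe the asker worries about. Python's standard sqlite3 module is used so it runs without a database server; the MySQL C API follows the same prepare/bind/execute pattern (mysql_stmt_prepare, mysql_stmt_bind_param, mysql_stmt_execute). The table and inputs are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for SomeTable from the question.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SomeTable (SomeField TEXT)")
    conn.execute("INSERT INTO SomeTable VALUES ('original')")
    return conn


def update_interpolated(conn, user_input):
    # The question's approach: the value is pasted into the SQL text, so a quote
    # inside user_input changes the statement's structure. Returns the database
    # error message, or None if the statement happened to parse.
    query = "UPDATE SomeTable SET SomeField='%s';" % user_input
    try:
        conn.execute(query)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def update_bound(conn, user_input):
    # The answer's approach: the statement is prepared with a placeholder and the
    # value is bound separately, so the value is never parsed as SQL and quotes
    # in it are stored literally (no filtering needed, valid data not mangled).
    conn.execute("UPDATE SomeTable SET SomeField=?;", (user_input,))
    conn.commit()


def read_field(conn):
    return conn.execute("SELECT SomeField FROM SomeTable").fetchone()[0]


def demo(user_input):
    # Runs both variants on a fresh table; returns (interpolation error, stored value).
    conn = make_db()
    err = update_interpolated(conn, user_input)
    update_bound(conn, user_input)
    return err, read_field(conn)


if __name__ == "__main__":
    print(demo("O'Brien"))  # interpolated: syntax error; bound: stores O'Brien
    print(demo("plain"))    # both succeed
```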

